A security company is shipping today a new software release
that it claims will better protect your servers against hacker attacks —
whether or not you've installed the latest patches from Microsoft.
Primary Response 2.2 is software you install on Windows NT, 2000, 2003,
or Solaris servers. It "immunizes" your servers against undefined intrusions,
the way the human body defends itself against biological viruses it's never
seen before, according to its developer, Sana Security.
The basic security features of Primary Response 2.1, the software's
previous version, have just been certified by ICSA Labs, an
independent testing firm, according to a lab spokesperson. This is the
first such certification given to a new kind of program known as
host-based intrusion prevention systems or HIPS, according to
Dr. Steven Hofmeyr, Sana's founder and chief scientist.
How Host-Based Protection Stands Out
The defenses provided by HIPS stand squarely between two older, better-known
layers of enterprise security:
• Network-Based Intrusion Prevention Systems (NIPS).
A NIPS solution is typically a hardware appliance that's plugged in between
a company's servers and the Internet. Such devices monitor network traffic
and protect the servers from inappropriate packets, such as hacker attacks.
NIPS, however, cannot protect applications that are running on individual PCs
or defend against the behavior of insiders, which most intrusions are.
• Client Security Defenses.
If malware has come into the corporate environment via an e-mail attachment
or a download from a malicious Web site that an employee visited, security
software on the client machine (such as an antivirus program) might catch
the problem. But software on users' desktops can't monitor hacker attacks
that can bring down an entire server or cluster of servers.
• HIPS To The Rescue.
Host-based intrusion prevention systems, such as Primary Response, install
on each server that you wish to protect. Sana Security's software observes the
operation of every application that runs on each server. This builds up a
baseline of which behaviors are "normal." The security software can then
automatically halt activities that are abnormal, such as a hacker's attempt
to exploit a buffer overrun in a server application.
From Response Time of 180 Days to Zero Days
The need for Primary Response, Hofmeyr said in a telephone interview,
comes from the fact that software developers such as Microsoft can't
patch their products fast enough to defend against all possible attacks:
• Nimda and SQL Slammer.
The Nimda and Slammer worms, which swept the Internet in September 2001 and
January 2003, respectively, emerged approximately 120 and 180 days after
Microsoft had posted patches for the Windows vulnerabilities involved.
In hindsight, we might look back on the length of those grace periods as a
relic of "the good old days."
• Seven-Day Exploitation Times.
Later in 2003, two different worms required only seven days to exploit
Windows security holes. Microsoft had identified these flaws only a week
earlier in bulletins named MS03-039 and MS03-049, Sana Security says.
"The attackers are winning the race," Hofmeyr says in a
white paper,
The Case for Intrusion Prevention. This is because "in general, patching
is a slow, risky process." Many large corporations can't or won't test and
install patches on their mission-critical systems in only seven days.
• The Zero-Day Nightmare.
Although the worst-case scenario hasn't yet occurred, security researchers
warn that "the big one" is coming. That means a hacker exploit that rapidly
compromises network servers across the Internet before the software provider
has made a patch available — a so-called zero-day exploit.
Now Patch Only Every Three Months
Primary Response would have stopped all of the worms I've mentioned above, and
others, Hofmyer says, whether or not the applicable patches from Microsoft had
been installed on the affected servers. "All these attacks use unchecked
bounds and buffers, and we prevent that," he explains.
Installing a HIPS solution, unfortunately, doesn't eliminate the need for
companies to also purchase NIPS and client-based security software. But
corporations can save big bucks with HIPS by installing Microsoft patches only
once every calendar quarter, instead of once a month or more, Hofmeyr says.
One Sana Security customer, a global financial services conglomerate,
reportedly employs 21 full-time people dedicated to security patching in the
U.S. alone and spends $1.5 million every time Microsoft releases a security
bulletin. That's a chunk of change, especially when you consider that 18% of
security patches across all vendors are faulty and must be revised, according
to one
study.
Conclusion
Unless you think your company can install all security patches instantly and
predict all upcoming zero-day attacks perfectly, HIPS software looks like a new
layer of security you'll need to have.
A Primary Response 2.2 installation consists of at least one "management
server," which lists for $6,500, and one "agent" per server you wish to
protect. Each agent lists for $1,700. Sana Software offers
bundles at a lower cost.
The short list of competing, host-based intrusion-prevention software for you
to consider includes
Cisco Security Agent and Network Associates'
McAfee Entercept.
May the immune system be with you.